EP-SSO-How to Implement Security Using

How to implement Security Using:
- SAP WebDispatcher and SSL Authentication into J2EE application (like EP) using X.509 client certificates
- Swap an expired SSL certificate to a new one

Background and Requirement:

The following document describes how the NCC portal security was implemented. This document should be used for SAP Consulting knowledge sharing purposes only. Do not distribute it to non-SAP parties, as it contains sensitive information such as the hostnames of our architecture.

The NCC portal infrastructure consisted of 3 servers:
Tsphl834.phl.sap.corp – Database
Tsphl845.phl.sap.corp – CI + SCS + 1 J2EE Dispatcher + 2 Server Nodes
Tsphl884.phl.sap.corp – 1 J2EE Dispatcher + 2 Server Nodes

An instance of SAP Web Dispatcher was created to run on tsphl834.phl.sap.corp to provide a single point of entry to the portal infrastructure and also load balance the traffic to the J2EE cluster evenly.

There was also a need to provide SSL communications to the end user along with Client Certificate authentication. Each end user would have a unique client X.509 certificate which would be forwarded by the browser. The following is an example.


Design:

The SAP WebDispatcher would have to accept and decrypt incoming SSL requests which have the X.509 client certificate as well. Once it receives this, the SAP WebDispatcher would have to:

1. Extract the X.509 certificate information and add them to the HTTP header request to be forwarded to the backend application.

2. Re-encrypt the outgoing request with another SSL certificate and forward it to the backend application. This would be a self-signed certificate.

3. The backend J2EE engine is configured to receive the request, decrypt it, use the X.509 certificate information from the HTTP header variables, trust the end user's identity from the client certificate's information and authenticate them into the application.

The SAP WebDispatcher profile file:

---------- BEGIN OF PROFILE FILE -------------------------------

# Profile generated by sapwebdisp bootstrap
#
# unique instance number
SAPSYSTEMNAME = WDD
SAPSYSTEM = 01
#
# Accessibility of Message Server
rdisp/mshost = tsphl845.phl.sap.corp
ms/http_port = 8101
# ms/https_port=8104
# ms/server_port_0=3601

#
# SAP Web Dispatcher Parameter
wdisp/auto_refresh = 120
wdisp/max_servers = 100

# SAP Web Dispatcher Web Administration
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin

# SAP Web Dispatcher Ports
icm/server_port_0 = PROT=HTTP,PORT=80, TIMEOUT=900
icm/server_port_1 = PROT=HTTPS, PORT=443, TIMEOUT=900

# SAP Web Dispatcher Security Info
# Location of SAP Crypto Lib and PSE
DIR_INSTANCE = D:\sapwebdispatcher
ssl/ssl_lib = D:\sapwebdispatcher\sapcrypto.dll
ssl/server_pse = D:\sapwebdispatcher\sec\SAPSSLS.pse
ssl/client_pse = D:\sapwebdispatcher\sec\SAPSSLC.pse

# Re-Encryption of outgoing request to Backend Application
wdisp/ssl_encrypt = 1
wdisp/ssl_auth = 2
wdisp/ssl_cred = D:\sapwebdispatcher\sec\SAPSSLC.pse
wdisp/ssl_certhost = nccportal.phl.sap.corp
#
# Description of the Resources
icm/min_threads = 20
icm/max_threads = 40
icm/max_conn = 500

# Communication Buffer
mpi/total_size_MB = 100
mpi/buffer_size = 65536

# Forwarding X.509 Digital Certificate to the backend application
icm/HTTPS/forward_ccert_as_header = true
icm/HTTPS/trust_client_with_issuer = CN=SSO_CA,O=SAP-AG,C=DE
icm/HTTPS/trust_client_with_subject = CN=SSO_CA,O=SAP-AG,C=DE
icm/HTTPS/verify_client = 1

---------- END OF PROFILE FILE -------------------------------

Three groups of parameters do the work. The HTTPS port (icm/server_port_1) together with the ssl/* PSE parameters accept incoming SSL requests from end users (highlighted in yellow in the original document). The wdisp/ssl_* parameters re-encrypt the request and forward it over SSL to the backend application (green). The icm/HTTPS/* parameters read the X.509 client certificate from the incoming request and forward it to the backend application in the request header (dark yellow).

The SSL Setup for SAP WebDispatcher:

Most of the SSL setup is documented on the SAP Online Help Portal. Follow the link below for details.

http://help.sap.com/saphelp_erp2005/helpdata/en/39/09a63d7af20450e10000000a114084/frameset.htm


Steps performed:

Created SAPSSLS.pse and a certificate request for the PSE. This certificate was externally signed by CA and imported into the SAPSSLS.pse. Follow the link above.

Created a certificate for SAPSSLC.pse of WebDispatcher.

D:\sapwebdispatcher\sec>sapgenpse gen_pse -p SAPSSLC.pse -x <password>
get_pse: Distinguished name of PSE owner: CN=nccportal.phl.sap.corp,OU=NCC,O=SAP,L=Philadelphia,ST=Pennsylvania,C=US
PKCS#10 certificate request for "D:\sapwebdispatcher\sec\SAPSSLC.pse":


Exported the certificate from the WebDispatcher's SAPSSLC.pse (the client PSE) in PKCS#12 (P12) format, so that it could be imported into the J2EE server, which only imports P12-formatted certificates.

D:\sapwebdispatcher\sec>sapgenpse export_p12 -p SAPSSLC.pse -x <password> nccportal.p12
Please enter PKCS#12 encryption password:
For verification, please reenter password:

Imported the nccportal.p12 certificate file into the EP’s J2EE Engine’s Keystore.

Configured both J2EE dispatchers to use the self-signed certificate for all their connections.


To Read X.509 certificate from incoming request to SAP WebDispatcher:

Added the SSO root certificate to the public key list of SAPSSLS.pse of WebDispatcher.

D:\sapwebdispatcher\sec>sapgenpse maintain_pk -p SAPSSLS.pse -a SSO_CA.cer
Please enter PIN:
----------------------------------------------------------------------------
Subject : CN=SSO_CA, O=SAP-AG, C=DE

PKList updated (1 entries total, 1 newly added)


Viewing the public key list of SAPSSLS.pse of WebDispatcher.

D:\sapwebdispatcher\sec>sapgenpse maintain_pk -p SAPSSLS.pse -l
Please enter PIN:
*** Object <PKList> is of the type <PKList_OID> ***

1. -------------------------------------------------------------
   Version: 2 (X.509v3-1996)
   SubjectName: CN=SSO_CA, O=SAP-AG, C=DE
   IssuerName: CN=SSO_CA, O=SAP-AG, C=DE
   SerialNumber: 00
   Validity - NotBefore: Mon May 04 08:59:33 1998 (980504125933Z)
              NotAfter: Mon May 03 08:59:33 2010 (100503125933Z)
   Public Key Fingerprint: 0437 9264 5918 EB82 F7A2 A8C2 D5F2 A32F
   SubjectKey: Algorithm RSA (OID 1.2.840.113549.1.1.1), NULL
   Certificate extensions:
     AuthorityKeyIdentifier:
       Key Identifier: 1397 77DB 5819 F071 802F 37BC 30CF 36BC 4838 D2A0
     Subject Key Identifier: 1397 77DB 5819 F071 802F 37BC 30CF 36BC 4838 D2A0
     Key Usage: (CRITICAL) digitalSignature nonRepudiation keyEncipherment dataEncipherment keyCertSign cRLSign
     Basic Constraints: allowed to act as a CA !

Configure the backend J2EE engine as described in the following link.
http://help.sap.com/saphelp_nw04/helpdata/en/62/881e3e3986f701e10000000a114084/frameset.htm

The following screenshots about the J2EE configurations will provide you more information:


Replacing expired SSL Cert:

The current SSL certificate in SAPSSLS.pse was the test SSL certificate from the CA, which was valid for only 2 months. A CSR was created from a new PSE, SAPSSLS2.pse, for which an SSL certificate valid for 1 year was received. The following steps describe how the 2 certificates were exchanged.

D:\sapwebdispatcher>sapgenpse import_own_cert -p D:\sapwebdispatcher\sec\SAPSSLS2.pse -c D:\sapwebdispatcher\sec\Validcert.cer -x <password>
import_own_cert: Installation of certificate failed
ERROR in ssf_install_CA_response: (1280/0x0500) Incomplete FCPath, need certificate of CA : "[email protected], OU=TC TrustCenter Class 2 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, SP=Hamburg, C=DE"
ERROR in ssf_install_certs_into_pse: (1280/0x0500) Incomplete FCPath, need certificate of CA : "[email protected], OU=TC TrustCenter Class 2 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, SP=Hamburg, C=DE"

The result above showed that the CA's root certificate also had to be imported to complete the certificate chain. The CA certificates TC_RootServer_DER_Class2.cer and TC_RootServer_PEM_Class2.cer (listed for server carriers) were therefore obtained from www.trustcenter.de and imported into SAPSSLS2.pse. The results were:

D:\sapwebdispatcher>sapgenpse import_own_cert -p D:\sapwebdispatcher\sec\SAPSSLS2.pse -c D:\sapwebdispatcher\sec\Validcert.cer -r D:\NCC_Certs\TC_RootServer_PEM_Class2.cer -x <password>
import_own_cert: Installation of certificate failed
ERROR in ssf_install_CA_response: (9/0x0009) af_verify_Certificates failed
ERROR in ssf_install_certs_into_pse: (9/0x0009) af_verify_Certificates failed
ERROR in af_verify_Certificates: (12851/0x3233) Verification of one certificate of path failed because there are no basic constraints
ERROR in check_basicConstraints: (12851/0x3233) Verification of one certificate of path failed because there are no basic constraints

AND

D:\sapwebdispatcher>sapgenpse import_own_cert -p D:\sapwebdispatcher\sec\SAPSSLS2.pse -c D:\sapwebdispatcher\sec\Validcert.cer -r D:\NCC_Certs\TC_RootServer_DER_Class2.cer -x <password>
import_own_cert: Installation of certificate failed
ERROR in ssf_install_CA_response: (9/0x0009) af_verify_Certificates failed
ERROR in ssf_install_certs_into_pse: (9/0x0009) af_verify_Certificates failed
ERROR in af_verify_Certificates: (12851/0x3233) Verification of one certificate of path failed because there are no basic constraints
ERROR in check_basicConstraints: (12851/0x3233) Verification of one certificate of path failed because there are no basic constraints

The TrustCenter root certificate was instead exported from the trusted root store of IE 6.0:
IE -> Tools -> Internet Options -> Content -> Certificates -> Trusted Root Certificate Authorities -> TC TrustCenter Class 2 CA -> Export -> Save as Base 64 encoded (.CER) file.

D:\sapwebdispatcher>sapgenpse import_own_cert -p D:\sapwebdispatcher\sec\SAPSSLS2.pse -c D:\sapwebdispatcher\sec\Validcert.cer -r D:\NCC_Certs\FromBrowser.cer -x <password>
CA-Response successfully imported into PSE "D:\sapwebdispatcher\sec\SAPSSLS2.pse"

The above command completed successfully. The current SAPSSLS.pse was then renamed to SAPSSLS.pse.old and SAPSSLS2.pse was renamed to SAPSSLS.pse. This was necessary because the cred_v2 file held credentials only for the SAPSSLS.pse file and not for SAPSSLS2.pse.
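The two trust decisions this setup rests on, as an added Python model that is not part of the original document: the backend must honour the forwarded client certificate only when the TLS peer is the Web Dispatcher and the certificate was issued by SSO_CA (the design and profile sections above), and the path building that made import_own_cert reject the TC TrustCenter root files until one carrying Basic Constraints was supplied. The DNs come from the document; the server certificate subject, the Cert type and the function names are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
def parse_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Normalize a DN so 'CN=SSO_CA, O=SAP-AG, C=DE' and 'CN=SSO_CA,O=SAP-AG,C=DE' compare equal."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)

@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: Optional[bool] = None  # None: certificate has no Basic Constraints extension at all

def build_chain(own: Cert, pool: List[Cert]) -> List[Cert]:
    """Walk issuer names up to a self-signed root; every CA on the path must say CA=TRUE."""
    chain, cur = [own], own
    while parse_dn(cur.subject) != parse_dn(cur.issuer):
        issuer = next((c for c in pool if parse_dn(c.subject) == parse_dn(cur.issuer)), None)
        if issuer is None:
            raise ValueError(f'Incomplete FCPath, need certificate of CA : "{cur.issuer}"')
        if issuer.is_ca is not True:
            raise ValueError("Verification of one certificate of path failed because there are no basic constraints")
        chain.append(issuer)
        cur = issuer
    return chain
# DNs taken from the document; the dispatcher identity is the owner of SAPSSLC.pse.
SSO_CA_DN = "CN=SSO_CA,O=SAP-AG,C=DE"
DISPATCHER_DN = "CN=nccportal.phl.sap.corp,OU=NCC,O=SAP,L=Philadelphia,ST=Pennsylvania,C=US"

def accept_forwarded_user(tls_peer_subject: str, forwarded: Optional[Cert]) -> Optional[str]:
    """Backend decision: honour the forwarded client certificate only when the TLS peer is the
    Web Dispatcher itself (mutual TLS, wdisp/ssl_auth = 2) and the user's certificate comes
    from SSO_CA. Returns the user DN to log on, or None to refuse."""
    if parse_dn(tls_peer_subject) != parse_dn(DISPATCHER_DN):
        return None  # any other peer could have written that header itself
    if forwarded is None or parse_dn(forwarded.issuer) != parse_dn(SSO_CA_DN):
        return None
    return forwarded.subject
# Constructed sample server certificate standing in for Validcert.cer and its TC TrustCenter issuer.
TC_DN = "OU=TC TrustCenter Class 2 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, SP=Hamburg, C=DE"
SERVER_CERT = Cert(subject="CN=nccportal.phl.sap.corp, OU=NCC, O=SAP, C=US", issuer=TC_DN)
def import_attempt(root: Optional[Cert]) -> str:
    """Message import_own_cert would give for one root candidate (None: no -r file supplied)."""
    try:
        return f"CA-Response successfully imported ({len(build_chain(SERVER_CERT, [] if root is None else [root]))} certs in path)"
    except ValueError as err:
        return str(err)
```

Passing a root built as Cert(TC_DN, TC_DN, is_ca=None) reproduces the "no basic constraints" rejection, while the same root with is_ca=True imports with a two-certificate path.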

Restarted the WebDispatcher. Everything worked fine and the logs did not complain about initializing SAPSSLS.pse. To verify, log onto EP and double-click the SSL lock icon at the bottom of IE; the "Certification Path" tab shows that the certificate chain is now complete, as shown in the screenshot below.


Client authentication, however, did not work: SSO_CA.cer had to be added to the PK list of the "new" SAPSSLS.pse as well.

D:\sapwebdispatcher\sec>sapgenpse maintain_pk -p SAPSSLS.pse -a SSO_CA.cer
Please enter PIN:
----------------------------------------------------------------------------
Subject : CN=SSO_CA, O=SAP-AG, C=DE

PKList updated (1 entries total, 1 newly added)

Restarted the WebDispatcher. Client authentication now worked fine.