Sunday, January 28, 2018

Refreshing The SSL/TLS/HTTPS Configuration of the ABAP Developer Edition 751 NPL System

Refreshing The SSL/TLS/HTTPS Configuration of the ABAP Developer Edition 751 NPL System

Background

I wanted to setup and use my ABAP developer edition with SSL/TLS/HTTPS, but first I found myself tidying up the profiles of the trial NPL system here.


The end of this blog I mentioned two parameters SAPFQDN and SAPLOCALHOSTFULL and these were blank in my system.
In transaction RZ11 - checking SAPFQDN shows no values



So back in RZ10 I opened profile DEFAULT.PFL with extended maintenance and change mode



SAPFQDN = dummy.nodomain
SAPLOCALHOSTFULL = $(SAPLOCALHOST).$(SAPFQDN)

* I took dummy.nodomain as that was used in my original installation following the SAP SCN blog here



SAVED the profile
Ignored the errors by selecting NO (error related to db cache and unknown parameter and not of concern)


Answered YES to update the profile


And answered with the green tick over the next few screens


A SAP restart is required so I used the sapcontrol commands as discussed in my previous blog to restart the system

sapcontrol -nr 00 -function GetSystemInstanceList   checking the status of the system should be GREEN
sapcontrol -nr 00 -function StopSystem                      stops SAP
sapcontrol -nr 00 -function GetSystemInstanceList   Wait for the system status to go GRAY
sapcontrol -nr 00 -function StartSystem                      starts SAP

After the system started I checked SAPFQDN and SAPLOCALHOSTFULL




Both parameters have been set (only showing SAPLOCALHOSTFULL as that is made up of SAPFDN value :) )

For my setup I have added a network card to my virtualbox setup to allow full access from my host virtualbox running on my MAC and guest SUSE SAP system.

Basically I added a Bridged Network Adapter


I have highlighted the MAC Address as I use my internet routers ability to assign a fixed IP addresses via the MAC Address.

E.g. in my router I have the options for DHCP




By defining the virtualbox Mac address I can have a permanent IP address for my SAP Developer NPL instance.

I then update my local hosts files on my Mac,

robert$ grep 39 /etc/hosts
192.168.0.39 vhcalnplci.dummy.nodomain vhcalnplci.mydomain.com



I will come back to the mydomain.com  entry but first I can now use the 192.168.0.39 IP address in my SAPGUI Java connection settings.


Accessing the Fiori Launchpad with Chrome show the following error 

Checking out the certificate in Chrome



The setup of the certificate is a self signed one - which we could trust and allow as I know the source.
However I wanted to build on top of this and went to setup my own Certificate Authority with OpenSSL. Self signed certificates are fine for standalone systems or manually dealing with each certificate but I prefer a main root CA as it makes things easier for me in the long term.

So....... how to set up my own Certicate Authority and keep it simple ;) . To cut a long story short I went with CA.pl which is part of Openssl


It comes with the following statement

The script is intended as a simple front end for the openssl program for use by a beginner. Its behaviour isn't always what is wanted. For more control over the behaviour of the certificate commands call the openssl command directly.
Over time I have built up a script that controls my use of CA.pl and I have the feeling that I will end up eventually replacing the CA.pl in the script with openssl commands. However CA.pl works for me for my current use cases. I am sharing - basically to document it for myself :0 and hope you may find some of it useful as well.

The script is setup as GIST here

https://gist.github.com/rjruss/273e3a82611310d6b35c6b1ddb48bee1


On my ABAP Virtualbox server I installed GIT

vhcalnplci:~ # apt-get install git

Updating /etc/sysconfig/svnserve...


(16/19) Installing: subversion-perl-1.9.7-8.1.x86_64 .....................[done]
(17/19) Installing: subversion-bash-completion-1.9.7-8.1.noarch ..........[done]
(18/19) Installing: libsvn_auth_gnome_keyring-1-0-1.9.7-8.1.x86_64 .......[done]
(19/19) Installing: git-svn-2.13.6-7.1.x86_64 ............................[done]
vhcalnplci:~ # pwd
/root
vhcalnplci:~ # git --version
git version 2.13.6


Next up was to clone my script and move it to directory /home/npladm/CA

vhcalnplci:~ # su - npladm
vhcalnplci:npladm 53> pwd
/home/npladm
vhcalnplci:npladm 54> mkdir CA
vhcalnplci:npladm 55> cd CA
vhcalnplci:npladm 56> pwd
/home/npladm/CA
vhcalnplci:npladm 57> git clone https://gist.github.com/273e3a82611310d6b35c6b1ddb48bee1.git

Cloning into ......
Unpacking objects: 100% (3/3), done.

vhcalnplci:npladm 60> cd *
vhcalnplci:npladm 62> ls -lrta
total 8
drwxr-xr-x 1 npladm sapsys   64 Jan 28 00:51 ..
drwxr-xr-x 1 npladm sapsys   50 Jan 28 00:51 .
-rw-r--r-- 1 npladm sapsys 7445 Jan 28 00:51 rjruss_controlCApl.sh
drwxr-xr-x 1 npladm sapsys  138 Jan 28 00:51 .git
vhcalnplci:npladm 63> mv rjruss_controlCApl.sh ..

vhcalnplci:npladm 68> pwd
/home/npladm/CA
vhcalnplci:npladm 69> ls
e24e36d373a95b7ed5cd05dd7340791e  rjruss_controlCApl.sh
vhcalnplci:npladm 70> chmod 775 rjruss_controlCApl.sh


***important changes if you do want to carry on and run this script.
Edit the script and change the default settings below to text that is more relevant to your use case. :)
Basically it sets up my name and email etc so I can just hit enter in the scripts ( I can always type something different at prompts but the defaults are handy and make things quicker for me).**IMPORTANT** to not change the line "commonName_default = \${ENV::CN}" as it is essential for the script.

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = West Midlands
localityName = Locality Name (eg, city)
localityName_default = Solihull
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Mine
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Haw
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = \${ENV::CN}
commonName_max = 125
emailAddress = Email Address
emailAddress_default = rob.roosky@yahoo.com
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name


No my scripts will be used to create a CA root certificate and sign the ABAP NPL CSR - Certificate Signing Request 

In transaction STRUST 


Click in the icon to enter "change" mode then "double click" the SSL server Standard - so that CN=*dummy.nodomain ... is displayed in the "own Certificate" section

Right click on SSL Server Standard and enter the "replacement wizard" - Read SAP notes for information.
2414090 - STRUST wizard to replace existing key pairs
1178155 - Replacing PSEs in productive SSL Servers



Click on Start




I kept the Distinguished name the same.


I kept the default for the Algorithm


Clicked on the Create Key Pair


At this point we need to stop and copy the text above into a file on the SUSE host in /home/npladm/CA/newreq.pem  


First RUN of the CA.pl control script will create a ROOT CA certificate in /home/npladm/CA/demoCA/cacert.pem


vhcalnplci:npladm 77> ./rjruss_controlCApl.sh
/usr/share/ssl/misc/CA.pl
Creating openssl config file ssl.cnf 
./demoCA
CA.pl default directory demoCA not found
Using the CA.pl script to create new certificate authority in current dir

Enter a NAME for this Certificate Authority
 Enter Common Name e.g. vhcalnpl1.dummy.domain
Enter Common Name : Robert Russell's BLOGGER CA - @rjruss
Robert Russell's BLOGGER CA - @rjruss
Continue (Y/N) answer N to enter Common Name again :y
y

REMEMBER the password at the Enter PEM phrase prompt-password NEEDS to be between 4 to 20 chars long
Press Enter to create new root CA at next prompt
CA certificate filename (or enter to create)
      
Making CA certificate ...
Generating a 2048 bit RSA private key
...+++
....+++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [West Midlands]:
Locality Name (eg, city) [Solihull]:
Organization Name (eg, company) [Mine]:
Organizational Unit Name (eg, section) [Haw]:
Common Name (e.g. server FQDN or YOUR name) [Robert Russell's BLOGGER CA - @rjruss]:
Email Address [rob.roosky@yahoo.com]:
Using configuration from ./tmpssl/ssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            cc:4d:d3:9a:ea:7a:36:39
        Validity
            Not Before: Jan 28 01:28:20 2018 GMT
            Not After : Jan 27 01:28:20 2021 GMT
        Subject:
            countryName               = GB
            stateOrProvinceName       = West Midlands
            organizationName          = Mine
            organizationalUnitName    = Haw
            commonName                = Robert Russell's BLOGGER CA - @rjruss
            emailAddress              = rob.roosky@yahoo.com
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                6F:75:4A:08:FE:64:5E:F7:48:F1:05:71:8C:9B:2D:16:43:28:11:87
            X509v3 Authority Key Identifier: 
                keyid:6F:75:4A:08:FE:64:5E:F7:48:F1:05:71:8C:9B:2D:16:43:28:11:87

            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
Certificate is to be certified until Jan 27 01:28:20 2021 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
0
Root Certificate Authority based on CA.pl 
1) newreq (with encrypted key)
2) newreq-nodes (without encrpted key)
3) sign (already existing CSR in newreq.pem)
4) Quit

Hopefully the script prompts highlight the stages of the creation of the certificate authority. As the detault directory demoCA does not exist yet in /home/npladm/CA then CA.pl -newca is run to create the root certificate file.

**Important to remember the password entered at the line
 Enter pass phrase for ./demoCA/private/cakey.pem:
** As this password will be need ALL the time to sign requests 

Sign the NPL CSR REQUEST


Perviously I copied the ABAP NPL Certificate Signing Request (CSR) into the file newreq.pem,  I now need to run the script but choose option 3 this time to sign the request. Output as follows.

vhcalnplci:npladm 80> ./rjruss_controlCApl.sh
/usr/share/ssl/misc/CA.pl
Creating openssl config file ssl.cnf 
./demoCA
Root Certificate Authority based on CA.pl 
1) newreq (with encrypted key)
2) newreq-nodes (without encrpted key)
3) sign (already existing CSR in newreq.pem)
4) Quit
Pick an option: 3
You picked sign (already existing CSR in newreq.pem) which is option 3
***Use [[*.dummy.nodomain]] from request as SAN name
 Enter Subject Alternate Names 
 By default *.dummy.nodomain will be used as a SAN
 hostname -a for this host = vhcalnplci.dummy.nodomain
 Enter one SAN at a time and use N at the continue prompt to exit
 current SAN = DNS:*.dummy.nodomain, 
Enter new SAN Names one at a time (or leave blank & press enter): *.mydomain.com
DNS:*.dummy.nodomain,DNS:*.mydomain.com,
Press enter to input another SAN| N to exit| R reset entry (Y/N/R):n
n

press ENTER TO SIGN NEW REQUEST
Using configuration from ./tmpssl/ssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            cc:4d:d3:9a:ea:7a:36:3a
        Validity
            Not Before: Jan 28 01:35:55 2018 GMT
            Not After : Jan 26 01:35:55 2028 GMT
        Subject:
            countryName               = DE
            organizationName          = SAP Trust Community
            organizationalUnitName    = SAP Web AS
            organizationalUnitName    = IDEMOSYSTEM
            commonName                = *.dummy.nodomain
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                90:58:AD:2F:8B:0B:57:68:B3:B2:A7:8D:15:F5:B3:DD:05:68:DD:19
            X509v3 Authority Key Identifier: 
                keyid:6F:75:4A:08:FE:64:5E:F7:48:F1:05:71:8C:9B:2D:16:43:28:11:87

            X509v3 Subject Alternative Name: 
                DNS:*.dummy.nodomain, DNS:*.mydomain.com
Certificate is to be certified until Jan 26 01:35:55 2028 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

Copying all files to new directory *.dummy.nodomain
cp: cannot stat 'newkey.pem': No such file or directory

The last line error at the end of the script is not run an issue as there is no newkey.pem created as it is only signing a CSR with no key.

The signing option 3 in the script will loop through and ask for Subject Alternate Names (SAN) for the certificate as this is important for Chrome.

So I know have the two pieces I need for the signing of the ABAP NPL dev CSR.

vhcalnplci:npladm 83> ls -l *.dummy.nodomain/newcert.pem demoCA/cacert.pem
-rw-r--r-- 1 npladm sapsys 4716 Jan 28 01:28 demoCA/cacert.pem
-rw-r--r-- 1 npladm sapsys 4955 Jan 28 01:35 *.dummy.nodomain/newcert.pem

The content of these files will be required BUT only the BEGIN - END part of the certificate file as highlighted below.

In the screen shot I have only selected the relevant part of cacert.pem file to copy into the STRUST wizard


Both files contents need to be pasted in the signing section of the wizard above.
Then I hit the "Import Certificate Response" button.



HIT F3 TO GO BACK


I now have a SIGNED certificate - but it wont solve all my issues in chrome yet......


My certificate is signed but my ROOT CA is still untrusted - so I need to import it into my MAC as trusted ( I could have done that with the self signed one earlier :O but that is not my end game - I will be doing more things with the ROOT CA which will make life a bit easier).

I copied my cacert.pem file to my Mac as a blogger.crt file and imported into keychain and set it up to be always trusted.


I now had a secure connection in Chrome :) but and obsolete message in the security tab :(


To fix the obsolete connection setting I changed another NetWeaver parameter related to ciphersuites

There is a great blog on testing these settings on the SAP SCN site.


In the end I went with the following
sapgenpse tlsinfo PFS:HIGH

PFS : Perfect forward secrecy: key agreement with ephemeral keys HIGH : High security cipher suites (except PFS)


So I updated the DEFAULT profile again with this setting. (YOU NEED TO BE VERY CAREFUL CHANGING THESE PARAMETERS ON ANY SERVER as it would remove any legacy support for any older cipher suites with server/client options - I only wanted to get rid of a Chrome message :))

ssl/ciphersuites = PFS:HIGH

And while I was there I thought I may as well enable HTTP2 as well :)

icm/HTTP/support_http2=true


After a RESTART all is good :)


















No comments:

Post a Comment

Google +