SMP 3 – Configuring Strong Encryption for JVM Security


SMP 3 is a Java application running inside Virgo. So that you do not have to worry about Java versions and installation, the installer installs SAP JVM together with the server, so you have both an SMP 3 installation and a Java installation at hand. This means you automatically get Java's security features … and some legacy problems from the dark ages of the Internet. One of them is that you have to enable strong encryption for SMP 3's Java. This is needed at least when you are going to use SAML 2 with ADFS as authentication provider. SAML 2 allows the IdP to encrypt the SAML response so that only the SP can decrypt it. The encryption algorithm used there relies on strong encryption methods, which are not available to Java by default and need to be activated manually.

Procedure

The procedure for how to do this can be found at SAP Help. To enable Strong encryption, a policy file must be downloaded from Oracle and placed into a Java folder.

  1. Download policy file.

    URL: http://help.sap.com/disclaimer?site=http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

  2. Click on accept to enable the download link.

  3. Click on the link: UnlimitedJCEPolicyJDK7.zip. This will download a ZIP file. The ZIP file contains 2 JAR files. These 2 files must be copied to the SMP 3 Java JVM.

  4. Stop SMP 3 server.
  5. Copy the 2 JAR files to:

    Folder: <SMP3 installation dir>/sapjvm_7/jre/lib/security

  6. The installation path is outlined in the Readme that is part of the downloaded policy file:

    3) Install the unlimited strength policy JAR files.

    In case you later decide to revert to the original “strong” but
    limited policy versions, first make a copy of the original JCE
    policy files (US_export_policy.jar and local_policy.jar). Then
    replace the strong policy files with the unlimited strength
    versions extracted in the previous step.

    The standard place for JCE jurisdiction policy JAR files is:

    <java-home>/lib/security [Unix]
    <java-home>\lib\security [Windows]

  7. Restart SMP 3

    Command: go.bat

     

Result

After installing the policy file, the JVM has strong encryption enabled.

Test

If you want to test whether it worked, there is a code snippet available on SO.

Just run it as a Java program.
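A check of this kind, written here as an added example (it is not the Stack Overflow snippet the post refers to). The class name TestUCE is chosen only so that the compile and run commands in this post apply unchanged; the all-zero key is a constructed test value.

```java
import java.io.File;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example, Java 7 compatible. Not the SO snippet and not SAP code.
public class TestUCE {

    // Largest AES key size the installed jurisdiction policy permits.
    // Standard limited policy: 128. Unlimited policy: Integer.MAX_VALUE.
    static int maxAesKeyBits() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    // Actually initialise AES with a 256-bit key. Under the limited policy
    // Cipher.init() rejects the key with InvalidKeyException.
    static boolean aes256Usable() throws Exception {
        byte[] key = new byte[32]; // constructed all-zero test key, never use for real data
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
            return true;
        } catch (InvalidKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Show which JVM is being tested: it must be the one SMP 3 runs on,
        // not another Java installation that happens to be on the PATH.
        String javaHome = System.getProperty("java.home");
        System.out.println("java.home    : " + javaHome);
        System.out.println("java.version : " + System.getProperty("java.version"));

        // The two policy JARs named in the Readme, in <java-home>/lib/security.
        File secDir = new File(javaHome, "lib" + File.separator + "security");
        for (String name : new String[] {"local_policy.jar", "US_export_policy.jar"}) {
            File f = new File(secDir, name);
            System.out.println(f + (f.isFile() ? " (" + f.length() + " bytes)" : " MISSING"));
        }

        int max = maxAesKeyBits();
        boolean ok = aes256Usable();
        System.out.println("Max AES key length : " + max);
        System.out.println("AES-256 init       : " + (ok ? "OK" : "rejected"));
        System.exit(ok && max >= 256 ? 0 : 1); // non-zero exit: policy still limited
    }
}
```

The printed java.home should point to the jre folder below sapjvm_7 in the SMP 3 installation, which is the JVM the policy files were copied into.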

  • Compile: /sap/MobilePlatform3/sapjvm_7/bin/javac TestUCE.java
  • Run: /sap/MobilePlatform3/sapjvm_7/bin/java TestUCE
  • Result:

     
